Summary
At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network.
This applies to not just resolution of documents containing activities or objects, but also to media URLs as well.
Specifically this is a Server Side Request Forgery attack. You can learn more about SSRF attacks via CWE-918
Details
When Fedify makes a request at runtime via the DocLoader [1] [2], the fetch API does not first check the URI's to assert that it resolve to a public IP address. Additionally, any downstream software of Fedify that may fetch data from URIs contained within Activities or Objects maybe be at risk of requesting non-public resources, and storing those, exposing non-public information to the public.
Additionally, in many cases the URIs are not asserted to be either strictly HTTPS or HTTP protocols, which could lead to further attacks, and there is no check that the URI contains a hostname part. Whilst the fetch() specification may provide some safety here, along with underlying fetch implementations, there is still potential for attacks through using data: URIs, or just attacking some other protocol entirely, e.g., FTP or CalDav.
[1] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L141
[2] https://github.com/dahlia/fedify/blob/main/runtime/docloader.ts#L175
Deno-specific Attack Vectors
In Deno specifically, the fetch() API allows accessing local filesystem, I'm not sure how Deno's Permissions model may prevent attacks utilising file: URIs.
Fetch also supports fetching from file URLs to retrieve static files. For more info on static files, see the filesystem API documentation.
ActivityPub Security Considerations
This is also noted in the ActivityPub spec in Section B.3 Security Considerations, however, there it is more limited in scope.
Other Implementations
It may be acceptable to allow a server operator to allow access to given non-public IP addresses, for instance in Mastodon they allow requests to non-public IP addresses, i.e., localhost in development and those in the ALLOWED_PRIVATE_ADDRESSES environment variable.
PoC
I'm not sure a PoC is necessary given this is a reasonably well known vulnerability vector.
Notes for resolution:
When implementing public IP address validation, be careful of CWE-1389 and CWE-1286 both of which recently caused a CVE to be filed against the popular node.js ip package, although this package was not originally intended for security purposes.
Impact
This impacts server operates, as resources that are internal to their network may find themselves being improperly accessed or potentially even attacked or exposed to the public.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2024-39687 has a CVSS score of 7.2 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.2, 0.10.2, 0.11.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
@fedify/fedify to 0.9.2 or later; @fedify/fedify to 0.10.2 or later; @fedify/fedify to 0.11.2 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-39687? CVE-2024-39687 is a medium-severity server-side request forgery (SSRF) vulnerability in @fedify/fedify (npm), affecting versions < 0.9.2. It is fixed in 0.9.2, 0.10.2, 0.11.2. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2024-39687? CVE-2024-39687 has a CVSS score of 7.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @fedify/fedify are affected by CVE-2024-39687? @fedify/fedify (npm) versions < 0.9.2 is affected.
- Is there a fix for CVE-2024-39687? Yes. CVE-2024-39687 is fixed in 0.9.2, 0.10.2, 0.11.2. Upgrade to this version or later.
- Is CVE-2024-39687 exploitable, and should I be worried? Whether CVE-2024-39687 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-39687 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-39687?
- Upgrade
@fedify/fedifyto 0.9.2 or later - Upgrade
@fedify/fedifyto 0.10.2 or later - Upgrade
@fedify/fedifyto 0.11.2 or later
- Upgrade